KubernetesClientException: ClusterRole or Role

3/21/2019

Upon deploying a service with Spring Cloud Kubernetes Discovery Client, I get the KubernetesClientException stating that the user "default" is forbidden to access pods.

I have already added a Role and a RoleBinding as specified here.

The guide states that a ClusterRole is necessary. But that is not an option for me, as we share the cluster with other departments. I only want the role to affect our project / namespace.

Is ClusterRole required or should Role be sufficient?

-- Anders Lassen
kubernetes
openshift-enterprise
rbac
spring-cloud-kubernetes

1 Answer

3/25/2019

To allow a service account access to these one needs to create a role with the necessary permissions and assign it to the account. This is done with a cluster role, or a role, if one only wants it in one namespace, and a role binding, which is specific to a namespace.

It says that you can use either Role or ClusterRole.

Just bear in mind that when creating a Role, a namespace should be defined, i.e.:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: mynamespace
  name: service-discovery-client
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services", "pods", "configmaps", "endpoints"]
  verbs: ["get", "watch", "list"]
-- A_Suh
Source: StackOverflow
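
A namespaced Role grants nothing until a RoleBinding in the same namespace ties it to the account the pod runs as. The manifest below is an added example, not part of the original answer: it binds the `service-discovery-client` Role to the `default` service account named in the error. The namespace `mynamespace` comes from the answer's sample, and the binding name `service-discovery-client-binding` is an assumption.

```yaml
# Added example: RoleBinding for the Role shown in the answer.
# Assumptions: namespace "mynamespace" (from the answer's sample) and the
# binding name "service-discovery-client-binding" (chosen for illustration).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # Must be the namespace the Role lives in; a RoleBinding only grants
  # access inside its own namespace, so other teams' namespaces are untouched.
  namespace: mynamespace
  name: service-discovery-client-binding
subjects:
  # The 'user "default" is forbidden' error refers to the pod's service
  # account. For ServiceAccount subjects the namespace must be given.
- kind: ServiceAccount
  name: default
  namespace: mynamespace
roleRef:
  # References the namespaced Role, not a ClusterRole.
  kind: Role
  name: service-discovery-client
  apiGroup: rbac.authorization.k8s.io
# To confirm the grant and its scope after applying:
#   kubectl auth can-i list pods -n mynamespace \
#     --as=system:serviceaccount:mynamespace:default    # expect: yes
#   kubectl auth can-i list pods -n kube-system \
#     --as=system:serviceaccount:mynamespace:default    # expect: no
```

If the first check still returns "no", the usual causes are a binding created in a different namespace than the Role, or a pod running under a service account other than `default`.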